Tanzania Finance

Jul 31 2017

Stopping DDOS TCP SYN and UDP flood attacks – Information Security Stack Exchange #stopping #a #ddos #attack


Chances are these attacks will be done using IP spoofing, the first line of defence is encouraging your ISP to adopt BCP38 to avoid IP spoofing.

The problem with a Denial of Service attack is that often you need to prevent the malicious traffic from reaching you in the first place. You can not do a lot locally, but you can always opt in for a service like CloudFare (who also implement BCP38) as they can scrub these kind of packets before they reach you.

answered Apr 13 ’13 at 6:46

SYN Flood can be mitigated by enabling SYN Cookies. SYN Cookies prevent an attacker from filling up your SYN queues and make your services unreachable to the legitimate user.

On Linux, those are some settings you can use to enable and set up SYN Cookies efficiently:

To make those settings load automatically on startup, add those lines to the file /etc/sysctl.conf :

It is possible to protect a Windows box too, as its described in this article by Microsoft. Windows Vista and above have SYN attack protection enabled by default.

As of UDP flood, unfortunately there isnt much you can do about it. Howover, in a ICMP/Ping flood, you can setup your server to ignore Pings, so an attack will be only half-effective as your server won’t consume bandwidth replying the thousands of Pings its receiving.

You can do that by running this configuration:

And naturally, add this line to the file /etc/sysctl.conf :

But bewere some watchdog systems require ICMP Echo to be enabled in order to work. Some rent servers will require you to leave ICMP Echo enabled because of that. But you can still use iptables to disable Ping in only some interfaces.

On Windows this can be done with the command:

Windows Firewall must be active.

You must contact your ISP for assistance, there is nothing you can do. You must understand that even if you put rules to drop the malicous traffic, you would still receive it before the rule drop it. There is no way to prevent it from reaching your server. If the attacker is contacting you, I strongly recommend you ignore him and his damands. Don t even talk to him, giving attention to this kind of retard is doing exactly what they want. Havenard Apr 13 ’13 at 7:25

As an example of a severe UDP attack, I’m Senior Network Admin at a University in CA, and a couple days ago we had a severe UDP flood attack from no less than 553 separate hosts around the world. Yes really. I was only able to throttle down our (Large) incoming pipes from our provider and partially filter some of the incoming, and some of the resulting answering UDP. This is a really nasty attack vector. Still working on coming up with a better response countermeasures suite to deploy when this happens again.

answered Dec 12 ’13 at 21:22

Written by admin

Leave a Reply

Your email address will not be published. Required fields are marked *